mirror of https://github.com/taigrr/nats.docs synced 2025-01-18 04:03:23 -08:00

mention nats based resolver in nats account server

Signed-off-by: Matthias Hanel <mh@synadia.com>
Matthias Hanel 2021-02-09 17:08:18 -05:00
parent dad3450866
commit 354355f85b
2 changed files with 12 additions and 9 deletions


@ -45,7 +45,7 @@ Their commonalities are that they exchange/lookup account jwt via nats and the s
This resolver stores all jwt and exchanges them in an eventually consistent way with other resolver of the same type. This resolver stores all jwt and exchanges them in an eventually consistent way with other resolver of the same type.
[`nsc`](../../../../nats-tools/nsc/README.md) supports push/pull/purge with this resolver type. [`nsc`](../../../../nats-tools/nsc/README.md) supports push/pull/purge with this resolver type.
Jwt, uploaded this way, are stored in a directory the server has exclusive access to. [JWTs](../../nats-server/configuration/securing_nats/jwt/), uploaded this way, are stored in a directory the server has exclusive access to.
```yaml ```yaml
resolver: { resolver: {
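Review bot: The JWTs link added on the "uploaded this way" line points at `../../nats-server/configuration/securing_nats/jwt/`, but the nsc link one line above needs `../../../../` to reach the repository root from this file, so the two-level path looks copied from the nats-account-server page and is unlikely to resolve from here. Suggest linking relative to this file's own directory, or using the same four-level prefix as the nsc link. The same path is added again in the two later hunks of this file and should be corrected there as well.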
@ -75,7 +75,7 @@ You need enough to still serve your workload adequately, while some server are o
### cache ### cache
This resolver only stores a subset of jwt and evicts extra ones based on an LRU scheme. This resolver only stores a subset of [JWT](../../nats-server/configuration/securing_nats/jwt/) and evicts extra ones based on an LRU scheme.
Missing jwt are downloaded from `full` nats based resolver. Missing jwt are downloaded from `full` nats based resolver.
This resolver is essentially the URL Resolver in nats. This resolver is essentially the URL Resolver in nats.
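Review bot: The link text in the changed line reads "a subset of [JWT]", singular, where the other hunks in this file use "JWTs", and the very next line still says "Missing jwt" in lowercase without a link. Suggest "[JWTs]" here and one spelling for the term throughout the section, linking only the first mention.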
@ -93,10 +93,10 @@ resolver: {
### nats based resolver - integration ### nats based resolver - integration
nats based resolver utilize the system account for lookup and upload of account jwt. nats based resolver utilize the system account for lookup and upload of account [JWTs](../../nats-server/configuration/securing_nats/jwt/) .
If your application requires tighter integration you can make use of these subjects for tighter integration. If your application requires tighter integration you can make use of these subjects for tighter integration.
To upload or update a possibly on the fly generated account jwt without `nsc`, send it as request to `$SYS.REQ.CLAIMS.UPDATE`. To upload or update a possibly on the fly generated account jwt without [`nsc`](../../../../nats-tools/nsc/README.md), send it as request to `$SYS.REQ.CLAIMS.UPDATE`.
Each participating `full` nats based account resolver will respond with a message detailing success or failure. Each participating `full` nats based account resolver will respond with a message detailing success or failure.
To serve a requested account jwt yourself, subscribe to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP` and respond with the account jwt corresponding to the requested account id (wildcard). To serve a requested account [JWT](../../nats-server/configuration/securing_nats/jwt/) yourself and essentially implement an account server, subscribe to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP` and respond with the account jwt corresponding to the requested account id (wildcard).
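Review bot: The first changed line leaves a stray space before the full stop after the link (`jwt/) .`), and the last changed line links "JWT" once and then says "account jwt" in lowercase later in the same sentence. Since the last line now tells readers they can "essentially implement an account server" by subscribing to `$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP`, it would help to say there that the responder has to be connected to the system account, which the section's opening sentence only implies. The unchanged sentence "tighter integration you can make use of these subjects for tighter integration" could be cleaned up in the same pass.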


@ -1,11 +1,14 @@
# nats-account-server # nats-account-server
The [NATS Account Server](https://github.com/nats-io/nats-account-server) is an HTTP server that hosts and vends [JWTs](../../nats-server/configuration/securing_nats/jwt/) for nats-server 2.0 account authentication. The server supports an number of stores which enable it to serve account [JWTs](../../nats-server/configuration/securing_nats/jwt/) from: The [NATS Account Server](https://github.com/nats-io/nats-account-server) is an HTTP server that hosts and vends [JWTs](../../nats-server/configuration/securing_nats/jwt/) for nats-server 2.0 account authentication. The server supports an number of stores which enable it to serve account [JWTs](../../nats-server/configuration/securing_nats/jwt/) from a [directory](nas_conf.md#directory-configuration)
* a [directory](nas_conf.md#directory-configuration)
* an [NSC](../nsc/nsc.md) [directory](nas_conf.md#nsc-configuration)
> The nats server can be configured with a [memory resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#memory) as well. This avoids usage of the account server. > The nats server can be configured with a [memory resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#memory) as well. This avoids usage of the account server.
> The nats server can be configured with a [nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) for the same purpose as well.
>
> Usage of [full nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) over [NATS Account Server](https://github.com/nats-io/nats-account-server) is recommended.
>
> The [NATS Account Server](https://github.com/nats-io/nats-account-server) also speaks the [full nats based resolver](../../nats-server/configuration/securing_nats/jwt/resolver.md#nats-based-resolver) protocol and
> can be used as such.
The server can operate in a _READ ONLY_ mode where it serves content from a directory, or in [notification mode](notifications.md), where it can notify a NATS server that a JWT in the store has been modified, updating the NATS server with the updated JWT. The server can operate in a _READ ONLY_ mode where it serves content from a directory, or in [notification mode](notifications.md), where it can notify a NATS server that a JWT in the store has been modified, updating the NATS server with the updated JWT.
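Review bot: The rewritten opening sentence drops the "an NSC directory" bullet and now ends "serve account JWTs from a [directory](nas_conf.md#directory-configuration)" with no full stop, while still saying "an number of stores"; the commit message only mentions adding the nats based resolver, so the removal of the NSC store needs either a word of explanation or to be reverted. If only the directory store remains, reword to "supports a directory store" and end the sentence. In the added blockquote, the two consecutive lines both end in "as well"; merging them into one sentence that names the memory resolver and the nats based resolver as alternatives would read better, followed by the recommendation line.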